Re: [jetty-users] Updating SSL keystore

Hi Simone,

I guess you mean details about what I do about the reload?

Well, here it comes but since I embed Jetty this may be of little use to others. And I took the liberty of taking a hackish shortcut to test if it would actually work for me...

My Jetty embedding is done in a class called JettyServletContainer that sets up a Server instance. It exposes some setup methods to add HTTP-ports, HTTPS-ports, directory-contexts and servlet-contexts in order to decorate the server before actually starting it.

The method that adds servlet-contexts adds a reference to the wrapping JettyServletContainer instance to the ServletContextHandler attributes. That way Servlet instances can access the wrapper via the ServletContext of an HttpServletRequest. I extended the method that adds HTTPS-ports to collect a list with all the resulting SslContextFactory instances inside the wrapper. Then I added a method reloadSslCertificates that iterates this list and calls reload on each SslContextFactory instance. I provide a dummy consumer that does nothing. Note that I normally only have one HTTPS port in my application, so the list will have size 1.

Then it is simply a case of using request.getServletContext.getAttribute("container").asInstanceOf[JettyServletContainer] or something similar and calling reloadSslCertificates on it somewhere.

I warned you: it is a hack but for now it seems to work. If I am doing something wrong or even dangerous please let me know. I may just be tempted to leave it as it is for now...



On 02/08/2017 11:47 AM, Simone Bordet wrote:

> On Wed, Feb 8, 2017 at 11:40 AM, Silvio Bierman
> <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
>> Hello all,
>>
>> I just want to report back about this: it works like a charm for me. We
>> implement multi-tenancy with client-specific SSL certificates using Jetty
>> SNI support. The keystore needs to be updated/extended frequently and until
>> now we had to restart the server to get the new certificates available.
>> Being able to do this while running is awesome.
>
> Great !
>
> Would be awesome if you can detail your solution.
> We are interested at real world use cases, especially for this one
> where Jetty provides the basic mechanism, but applications have to
> write a bit of code to actually make use of the feature.
>
> Thanks !
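The wrapper design described in the message above, written out as an added Java example; it is not the poster's code (which is Scala and not shown) nor part of Jetty. It assumes Jetty 9.4, where SslContextFactory.reload(Consumer) exists, and javax.servlet 3.1; the keystore path, password, port and the "/admin" context are placeholders. The reload servlet is shown unauthenticated only for brevity: anything that can re-read the keystore must sit behind a security constraint or an admin-only connector.

```java
// Added example, not the poster's or the Jetty project's code: a minimal version of the
// JettyServletContainer wrapper described in the thread. Assumes Jetty 9.4
// (SslContextFactory.reload(Consumer)) and javax.servlet 3.1. Paths/passwords are placeholders.
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class JettyServletContainer {
    /** Attribute name under which servlets find the wrapper (the message calls it "container"). */
    public static final String CONTAINER_ATTRIBUTE = "container";

    private final Server server = new Server();
    private final ContextHandlerCollection contexts = new ContextHandlerCollection();
    // Every SslContextFactory created by addHttpsPort, so that all of them can be reloaded later.
    private final List<SslContextFactory> sslContextFactories = new ArrayList<>();

    public JettyServletContainer() {
        server.setHandler(contexts);
    }

    /** Adds an HTTPS connector whose keystore can later be re-read in place. */
    public void addHttpsPort(int port, String keystorePath, String keystorePassword) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keystorePath);
        ssl.setKeyStorePassword(keystorePassword);
        sslContextFactories.add(ssl);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        // SecureRequestCustomizer performs the SNI host check against the certificate that was served.
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(port);
        server.addConnector(connector);
    }

    /** Adds a servlet context that can reach this wrapper through a context attribute. */
    public ServletContextHandler addServletContext(String contextPath) {
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath(contextPath);
        context.setAttribute(CONTAINER_ATTRIBUTE, this);
        contexts.addHandler(context);
        return context;
    }

    /** Re-reads the keystore of every HTTPS port; new certificates become usable without a restart. */
    public void reloadSslCertificates() throws Exception {
        for (SslContextFactory ssl : sslContextFactories) {
            ssl.reload(factory -> { }); // no-op consumer, as in the message: settings stay as configured
        }
    }

    public void start() throws Exception { server.start(); }

    /** Triggers the reload. Deploy only behind authentication (security constraint or admin-only port). */
    public static class ReloadServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
            JettyServletContainer container =
                    (JettyServletContainer) request.getServletContext().getAttribute(CONTAINER_ATTRIBUTE);
            try {
                container.reloadSslCertificates();
                response.setStatus(HttpServletResponse.SC_OK);
                response.getWriter().println("keystore reloaded");
            } catch (Exception e) {
                // A failed reload (for example a half-written keystore file) ends up here; log the
                // details server-side and keep the client response generic.
                getServletContext().log("keystore reload failed", e);
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "reload failed");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        JettyServletContainer container = new JettyServletContainer();
        container.addHttpsPort(8443, "/path/to/keystore.p12", "changeit"); // placeholders
        ServletContextHandler admin = container.addServletContext("/admin");
        admin.addServlet(new ServletHolder(new ReloadServlet()), "/reload-tls");
        container.start();
    }
}
```

Because reload re-reads the keystore from the configured path, write the updated keystore to a temporary file and rename it into place before calling the endpoint, so a reload never sees a partially written file; a reload that fails is reported through the exception rather than silently.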
